
Initiate precision packet captures to analyze zero window conditions

In TCP metrics, window size specifies the amount of data that a device can receive and
process during a flow. When the window size is zero, transmissions are halted until the device
signals that it has the space to receive data again.

Zero window conditions that last 1 or 2 seconds are not too unusual, especially during periods
of heavy traffic. However, longer-lasting zero window conditions can indicate a more serious
problem and cause performance issues.

You can create a dashboard or configure alert notifications to track zero window occurrences,
but the cause can be hard to determine. For example, CPU, memory, and NIC usage might be normal,
and you don’t know if the issue is with the network, the servers, or the application. But you can
always find the truth in the packet!

In this walkthrough, you will create a trigger that captures packets with zero window
conditions on database response and request flows. Then, you will download the captures so that
you can upload the data to a packet analyzer to help you determine the state of the client and
server on a flow when zero window conditions occurred.
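The walkthrough leaves the analysis of the downloaded capture to a packet analyzer. To make concrete what that analysis looks for, the following Python example (added here; it is not ExtraHop code and not part of the original walkthrough) parses raw IPv4/TCP headers, finds segments that advertise a zero window, and measures how long each side of a flow stayed at zero before advertising space again. It applies the rule of thumb from the introduction: stalls of a second or two are reported only when they exceed a configurable threshold (2 seconds by default). The sample traffic, the addresses, and the port numbers are constructed for the example, and the zero-window episode that never recovers before the capture ends is reported separately, since that is the case that most often points at a stuck receiver.

```python
import struct

# Constructed sample endpoints (not real hosts): a client talking to a database server.
CLIENT, SERVER = "10.0.0.5", "10.0.0.10"
CLIENT_PORT, DB_PORT = 50000, 5432


def build_segment(src, dst, sport, dport, window, flags=0x10):
    """Build a 20-byte IPv4 header plus a 20-byte TCP header (ACK, no payload).
    Checksums are left at zero; this is only for offline parsing."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr


def parse_segment(pkt):
    """Return (src, dst, sport, dport, window) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:   # IPv4 with protocol 6 (TCP)
        return None
    ihl = (pkt[0] & 0x0F) * 4                               # IPv4 header length in bytes
    if len(pkt) < ihl + 16:                                 # need at least up to the window field
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, _seq, _ack, _off, _flags, window = struct.unpack("!HHIIBBH", pkt[ihl:ihl + 16])
    return src, dst, sport, dport, window


def find_zero_window_episodes(packets, threshold_s=2.0):
    """packets: iterable of (timestamp_seconds, raw_ipv4_packet_bytes).
    Tracks each direction of each flow separately. The 'sender' of an episode is the
    side that advertised window 0, i.e. the side that could not accept more data.
    Returns only episodes longer than threshold_s; episodes still open at the end of
    the capture are reported with resolved=False."""
    open_since = {}     # (src, sport, dst, dport) -> timestamp when window first hit 0
    episodes = []
    last_ts = None
    for ts, pkt in packets:
        last_ts = ts
        parsed = parse_segment(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, window = parsed
        key = (src, sport, dst, dport)
        if window == 0:
            open_since.setdefault(key, ts)          # keep the first zero-window timestamp
        elif key in open_since:
            start = open_since.pop(key)             # receiver advertised space again
            if ts - start > threshold_s:
                episodes.append({"sender": f"{src}:{sport}", "receiver": f"{dst}:{dport}",
                                 "start": start, "duration": ts - start, "resolved": True})
    # Zero windows that never recovered within the capture.
    for (src, sport, dst, dport), start in open_since.items():
        if last_ts is not None and last_ts - start > threshold_s:
            episodes.append({"sender": f"{src}:{sport}", "receiver": f"{dst}:{dport}",
                             "start": start, "duration": last_ts - start, "resolved": False})
    return episodes


def _seg(ts, src, dst, sport, dport, window):
    return ts, build_segment(src, dst, sport, dport, window)


# Constructed capture (not real traffic): timestamps in seconds from capture start.
SAMPLE_CAPTURE = [
    _seg(0.0, CLIENT, SERVER, CLIENT_PORT, DB_PORT, 65535),
    _seg(0.5, SERVER, CLIENT, DB_PORT, CLIENT_PORT, 0),       # server stops accepting data
    _seg(1.0, SERVER, CLIENT, DB_PORT, CLIENT_PORT, 0),
    _seg(1.2, SERVER, CLIENT, DB_PORT, CLIENT_PORT, 8192),    # recovers after 0.7 s: benign
    _seg(5.0, SERVER, CLIENT, DB_PORT, CLIENT_PORT, 0),
    _seg(6.0, SERVER, CLIENT, DB_PORT, CLIENT_PORT, 0),
    _seg(9.5, SERVER, CLIENT, DB_PORT, CLIENT_PORT, 16384),   # 4.5 s stall: worth a look
    _seg(10.0, CLIENT, SERVER, CLIENT_PORT, DB_PORT, 0),      # client stalls and never recovers
    _seg(13.0, SERVER, CLIENT, DB_PORT, CLIENT_PORT, 16384),
]

if __name__ == "__main__":
    for ep in find_zero_window_episodes(SAMPLE_CAPTURE):
        state = "recovered" if ep["resolved"] else "still at zero at end of capture"
        print(f"{ep['sender']} held window 0 toward {ep['receiver']} for "
              f"{ep['duration']:.1f} s from t={ep['start']:.1f} s ({state})")
```

The advertised window is read before any window scaling is applied; that is fine here because a scaled window of zero is still zero, which is exactly the condition this walkthrough captures. Against a real capture you would feed the function the IPv4 payload of each frame (strip the link-layer header first) together with each frame's timestamp, and the side named as sender in an episode is the one whose receive buffer was full.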

Prerequisites

You must have access to an ExtraHop Discover appliance with a user account that has unlimited privileges.

Assign the trigger to a source

In the following steps, you will assign a trigger to a data source. A trigger does
not run until it is assigned to a source, and the trigger gathers data only from the sources
to which it is assigned.

For the purposes of this walkthrough, the following procedure assigns the trigger to
a device group called DB Servers. You should assign the triggers to the devices or
device groups on your network that you want to monitor for zero window
conditions.

Important:

Running triggers on unnecessary devices and networks exhausts
system resources. Minimize performance impact by assigning a trigger only to the
specific sources that you need to collect data from.

1. Click Metrics from the top menu.

2. Click Device Groups in the left pane, and then select DB Servers.

3. Click the Assign Trigger icon from the top of the page.

4. Select the trigger you just created named Zero Window PCAP.

5. Click Assign Triggers.

View debug output in the runtime log

In the following steps, you will view the trigger debug output to confirm that the
trigger is running and capturing packets. After you assign the trigger to your data sources,
the system runs the trigger when database traffic occurs, and if any transactions contain a
zero window, the system sends debug results to the runtime log.

1. Click the System Settings icon, and then click Triggers.

2. Click the Zero Window PCAP trigger you just created.

3. Click the Runtime Log tab.

The runtime log displays results similar to the following figure:

Download and view packet captures

In the following steps, you will download packet captures from the ExtraHop Admin
UI.